Privacy in the Legislative Branch: A Quick Update

Just as privacy remains front page news ("Web's Hot New Commodity: Privacy", Wall Street Journal, February 28, 2011), it remains a subject of bipartisan interest on Capitol Hill.

Congressional demands for information from companies following news stories about privacy are now routine. For example: "Markey, Barton Ask Facebook About Plan to Enable Access to Addresses, Mobile Numbers" (February 2, 2011).

On the Senate side, Senator Patrick Leahy (D-VT) has created a first-ever Sub-Committee on Privacy, Technology and the Law within the Judiciary Committee and has appointed Senator Al Franken (D-MN) subcommittee chair. The committee's mandate includes oversight of laws and policies governing:

  • the collection, protection, use, and dissemination of commercial information by the private sector, including online behavioral advertising;
  • privacy within social networking websites and other online privacy issues;
  • enforcement and implementation of commercial information privacy laws and policies;
  • use of technology by the private sector to protect privacy, enhance transparency and encourage innovation;
  • privacy standards for the collection, retention, use and dissemination of personally identifiable commercial information; and
  • privacy implications of new or emerging technologies.

Senator John Kerry (D-MA) is expected to introduce a comprehensive privacy regulatory bill that may include FTC rulemaking authority with a specific mandate regarding opt-in and opt-out consent for the online collection of personal information. The legislation has been rumored for months, but has yet to be introduced, perhaps owing to the need for coordination between the two committees that now have jurisdiction over privacy issues in the Senate, the Commerce and Judiciary Committees. Commerce Committee Chair Sen. Jay Rockefeller (D-WV) has expressed a strong interest in seeing increased legal protections for privacy.

On the House side, four major privacy bills have been introduced this year with more likely to come:


HHS Imposes a $4.3 Million Civil Monetary Penalty For Violations of the HIPAA Privacy Rule

Today the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a civil monetary penalty (CMP) in the amount of $4.3 million on Cignet Health for violations of the HIPAA Privacy Rule. This represents the first CMP imposed by HHS for HIPAA privacy violations.  

When Congress enacted the HITECH law in 2009, it significantly expanded HHS’ enforcement authority and made clear that the agency was expected to use it.   HHS seems to be taking that directive seriously. 

The OCR investigation began in response to complaints filed by 41 Cignet patients who had attempted to access their medical records in order to seek care from physicians outside the Cignet network. Part of the penalty, $1.3 million, was imposed for denying those 41 patients access to their medical records when requested between September 2008 and October 2009. Under the Privacy Rule, covered entities are required to provide individuals with access to their medical records within 30 days (and no later than 60 days) of a request.

An additional $3 million in penalties was assessed against Cignet for its profound failure to cooperate during the agency’s investigation. Specifically, OCR found that Cignet did not cooperate with OCR’s investigations into the complaints and failed to respond to OCR’s demands to produce the records, including failing to respond to a subpoena. When Cignet did finally respond by providing the records relating to the individuals who had filed complaints, it also produced to OCR medical records for an additional 4,500 individuals for whom the agency had made no request or demand. According to OCR, Cignet had no legitimate basis on which to disclose these records to the agency.

OCR found that Cignet’s failure to comply with the Privacy Rule and its refusal to cooperate with the investigation amounted to willful neglect, which appears to have led to the imposition of the maximum penalties permitted by law. 

Upcoming Webinars on Privacy Developments in Washington and Data Security Breach Notification Laws

Two webinars, one afternoon.  On Thursday, February 24, Hogan Lovells Privacy and Information Management Practice Director Chris Wolf will participate in a BNA webinar (along with Senior Governmental Affairs Advisor Nancy Granese of Hogan Lovells and Jules Polonetsky of the Future of Privacy Forum) on privacy developments in Washington, and an Experian webinar on data security breach notification laws (along with Reed Freeman of Morrison & Foerster and Tony Hadley of Experian).  Both pay-to-view programs are open for sign-up now.

What to Expect from Washington in Privacy Law in 2011

Privacy is a non-partisan issue, and 2011 is being viewed as the year in which significant changes may emerge. Media attention has focused on online collection and use of consumer data for marketing purposes, and on government access to personal data stored in the “cloud”. Meanwhile, proposals for change in the US privacy framework have emerged from the Federal Trade Commission, the Department of Commerce, and the U.S. Congress. Proposals for privacy law reform have also emerged in the European Union.

This BNA webinar will focus on Washington’s influence on privacy law reform, and provide the insiders' view of what changes are likely coming in 2011.

Program Highlights:

  • Learn what the realistic prospects are for new privacy laws and regulations.
  • Learn which privacy best practices may emerge from the recent proposals for reform.
  • Learn what the FTC and the Department of Commerce are likely to do in the privacy and data security realm.
  • Hear an evaluation of the role of self-regulation.
  • Learn who the players in Washington are who can affect privacy policy changes.

You may register here.

State Legislation Past and Present:  The Effects of Data Breach Notification and Resolution

In 2010, security breach-related legislation was revised or newly enacted in five states and introduced in at least 18 additional states. Join us for a discourse on the effects and new developments state laws have imposed on data breach notification and resolution. 

Learn how companies that have experienced breaches have fared given the new laws and what lessons have been learned. Our panel of privacy experts will address specific examples of how data breaches occur and what steps their clients have taken to mitigate the risk of a breach in the first 72 hours. They will investigate how these laws have been applied in real-life scenarios and the implications for:

  • Data breaches resulting from third party vendors
  • Data leakage and referring headers
  • How breach laws affect medical laws already in place
  • Cyber risk insurance and what it means to compliance

You may register here.


Supreme Court Defers on Constitutional Right to Information Privacy; Scalia Predicts Increased Litigation

On January 19, the Supreme Court decided NASA v. Nelson, a case brought by NASA contractors alleging that questions asked by the federal agency in a background check violated their constitutional right to information privacy -- i.e., a constitutional privacy interest in the government "avoiding the disclosure of personal matters" recognized in a pair of 1977 cases, Whalen v. Roe and Nixon v. Administrator of General Services.  At issue were questions asking whether the contractors received "any treatment or counseling" regarding illegal drug use within the previous year (as a follow up to a question regarding whether they used, possessed, supplied, or manufactured illegal drugs within that year), and questions directed toward references for information bearing on "suitability for government employment or security clearance," including any "adverse information" about a contractor's "honesty or trustworthiness," "violations of the law," "financial integrity," "abuse of alcohol and/or drugs," "mental or emotional stability," "general behavior or conduct," or "other matters."


NIST Issues Guidance on Cloud Computing Privacy and Security Requirements for Federal Agencies

Joel Buckman, an associate in the Hogan Lovells Privacy and Information Management practice group in the Washington, D.C. office, assisted in the preparation of this entry.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.


FTC Posts Guidance for Providers and Insurers on Medical Identity Theft

Shining a new spotlight on health data breaches, the Federal Trade Commission recently posted a frequently asked questions guide to medical identity theft for health care providers and insurers. Medical identity theft occurs when one person obtains health care services or prescription drugs using the identity of someone else, or when those working in a health care provider setting use an individual's personal information to submit false bills to an insurer. People victimized by medical identity theft often realize the theft has occurred when they get a bill for a service they did not receive, are contacted by a debt collector for medical bills for services they never obtained or from doctors they never saw, or are denied insurance because their records are incorrect. The guide makes clear that if a patient reports being a victim of medical identity theft, providers and insurers are expected to conduct an investigation and correct any incorrect information, follow the applicable rules of the Fair Credit Reporting Act, review their data security practices, and provide notification as required under HIPAA or other federal or state security breach notification laws. The guidance for health care providers and insurers follows on guidance posted last month for consumers on how to prevent and detect medical identity theft.

The EU officially has recognized Israel as having adequate protection for personal data, permitting cross-border transfers

The European Data Protection Directive 95/46/EC contains certain restrictions on the export of personal data to a country outside the European Economic Area (“third country”). Whether personal data may be transferred from the EU to a data importer located in a third country has to be assessed on the basis of a two-step test. First, the transfer must be justified on the basis of an explicit legal permission or the data subjects’ consent. Second, the third country where the data importer is located must ensure an adequate level of data protection.

By decision of 31 January 2011 (2011/61/EU), Israel – in addition to Argentina, Canada, Guernsey, Isle of Man and Switzerland – has now formally been recognized by the European Commission as a country which provides an adequate level of protection of personal data. The Israeli Law, Information and Technology Authority ("ILITA") will be the responsible supervisory authority.

Without such formal recognition a data transfer to a third country may only take place on specific conditions or where additional adequate safeguards are adduced (e.g. the conclusion of an appropriate transfer agreement based on the EU standard contractual clauses for the transfer of personal data to third countries).

Against this background, Israel’s formal recognition by the European Commission as a country providing an adequate level of data protection will help to reduce legal uncertainties and administrative efforts. However, before transferring data from the EU to Israel, data exporters should still be aware that the formal recognition only fulfills the second prerequisite of the two-step test outlined above. In any case, the data transfer itself requires a legal justification.

The EU Commission’s decision is available at the Commission's website.

Cisco Privacy Site Features Hogan Lovells Cloud Compliance Primer

Cisco has launched a Privacy and Security Compliance Journey web site with a variety of useful materials and resources. Here is how Van Dang, Vice-President, Law and Deputy General Counsel of Cisco describes it:

We want to share with our customers, colleagues in other legal departments and other interested parties our privacy and security compliance journey - and it is a journey since the legal framework and regulations in this area are still evolving. We hope you will find useful materials and resources featured in each tab below. We also hope that you will share your best practices and give us feedback on how we can improve. Cisco is pleased to host this collaborative site in support of the privacy community and is committed to continuously refreshing content, so please bookmark the site for future reference.

Hogan Lovells is pleased to have its primer on legal issues in cloud computing, including privacy and data security concerns, as the first featured content on the Cisco site.